Impact
Based on the updated description, the flaw in Log4j’s JsonTemplateLayout occurs when serialization encounters non‑finite floating‑point values such as NaN, Infinity, or –Infinity. Because these values are not permitted by the JSON standard (RFC 8259), the layout emits malformed JSON. The malformed data can cause downstream log processing, indexing, or monitoring systems that receive these logs to reject the records or crash, corrupting audit trails and potentially leading to loss of logs or service interruption. In addition, the CVE note indicates that the fix in 2.25.4 does not cover all affected code paths; a related issue in MapMessage.asJson() serialization is addressed in later releases (2.25.5/2.26.1) under CVE-2026-49844.
Affected Systems
Affected are Apache Log4j JsonTemplateLayout releases up through 2.25.3. The vendor’s advisory recommends upgrading to 2.25.4 or a later release to apply the fix, which corrects the serialization logic for some but not all code paths that produce JSON output.
Risk and Exploitability
The CVSS score of 6.3 indicates a medium‑severity vulnerability, while the EPSS value of less than 1% and absence from the CISA KEV catalog suggest a low probability of active exploitation. An attacker must meet two conditions to exploit the issue: the application must use JsonTemplateLayout and the attacker must be able to force the application to log a MapMessage or an object containing an attacker‑controlled non‑finite floating‑point value. The attack vector is therefore only viable in environments where user input is logged by JsonTemplateLayout; if those conditions are satisfied, the attacker could trigger failures or crashes in downstream log ingesters, potentially causing a denial of service. Note that while 2.25.4 addresses the majority of code paths, the remaining serialization flaw in MapMessage.asJson() requires 2.25.5 or later for full remediation.
OpenCVE Enrichment
Github GHSA